Windows 2008R2 DCs, two in one site, one in another
Windows 2008 functional level
I've had two instances in the past week where users, several hours after changing their passwords, had their accounts locked out. I used LockoutStatus to track down the DC where the event 4740/lockout happened, and then read the calling workstation from there. In both cases, the user didn't have any active or idle session on the remote desktop server where the lock was being generated. I checked further with Process Explorer and I couldn't even find any processes running in their user context.
I would unlock the account, and in under a minute, there would be six bad password attempts (our GP setting) and the account would be locked out. I could repeat this process indefinitely.
In both instances, when I rebooted the RD VM, the issue went away and didn't return. In one case that was somewhat disruptive as it was an application server. In the second case it was a domain controller and had no user impact.
I've seen this before when a user has an orphaned RD session idle for months, or with badly behaved applications, but this seeming dissociation from any active user process is really odd.
LockoutStatus always shows the lastPasswordSet timestamp in sync, replication occurs within fifteen minutes, and repadmin shows me both the expected topology and no errors.
I'm at a total loss. What more can I check for?
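One way to automate the LockoutStatus-then-read-the-event step described above, and to pull the bad-password events that preceded the lock on the same DC (their source address or workstation field can be compared with the 4740 caller name). This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, Event Log Readers rights on each DC, and remote event log access (Remote Event Log Management firewall rule) enabled on the 2008 R2 DCs.

```powershell
# Added example: locate the DC that logged 4740 for a user, read the caller
# computer name, then list the 4771/4776 failures on that DC just before the lock.
# Usage: .\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 24
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Read EventData fields by name (TargetDomainName etc.) rather than by position,
# so the script does not depend on the property order of a given event template.
function Get-EventData($Event) {
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }
    return $data
}

foreach ($dc in $dcs) {
    # 4740 (account locked out) is written only on the DC that applied the lock;
    # in that event the TargetDomainName field carries the "Caller Computer Name".
    $lockouts = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since }
    foreach ($ev in $lockouts) {
        $d = Get-EventData $ev
        if ($d.TargetUserName -ne $SamAccountName) { continue }
        [pscustomobject]@{ DC = $dc; Time = $ev.TimeCreated; Id = 4740
                           User = $d.TargetUserName; Source = $d.TargetDomainName }

        # The failures that triggered the lock land on the same DC in the minutes
        # before it: 4771 (Kerberos pre-auth failed) has an IpAddress field,
        # 4776 (NTLM credential validation) has a Workstation field.
        $bad = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776
            StartTime = $ev.TimeCreated.AddMinutes(-5); EndTime = $ev.TimeCreated }
        foreach ($b in $bad) {
            $bd = Get-EventData $b
            if ($bd.TargetUserName -ne $SamAccountName) { continue }
            $src = if ($b.Id -eq 4771) { $bd.IpAddress } else { $bd.Workstation }
            [pscustomobject]@{ DC = $dc; Time = $b.TimeCreated; Id = $b.Id
                               User = $bd.TargetUserName; Source = $src }
        }
    }
}
```

If the 4771 address points at the RD server but no interactive session or user-context process exists there, the next places to look on that host are scheduled tasks, services, mapped drives and stored credentials (Credential Manager) that still hold the pre-change password.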